From feff7f4343541c958bc09c17ff67da75bb3f690e Mon Sep 17 00:00:00 2001
From: Robert Elder
Date: Thu, 2 Oct 2014 02:04:03 +0000
Subject: [PATCH] tokens for multipart data upload.
---
 .../controllers/PluploadController.php | 26 ++++++++++++++++---
 .../views/scripts/plupload/index.phtml | 1 +
 .../public/js/airtime/library/plupload.js | 5 +++-
 3 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/airtime_mvc/application/controllers/PluploadController.php b/airtime_mvc/application/controllers/PluploadController.php
index 9698b163a..42e64c8d6 100644
--- a/airtime_mvc/application/controllers/PluploadController.php
+++ b/airtime_mvc/application/controllers/PluploadController.php
@@ -24,15 +24,33 @@ class PluploadController extends Zend_Controller_Action
 $this->view->headScript()->appendFile($baseUrl.'js/plupload/i18n/'.$locale.'.js?'.$CC_CONFIG['airtime_version'],'text/javascript');
 $this->view->headLink()->appendStylesheet($baseUrl.'css/plupload.queue.css?'.$CC_CONFIG['airtime_version']);
+
+ $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
+ $csrf_namespace->setExpirationSeconds(900);
+ $csrf_namespace->authtoken = sha1(uniqid(rand(),1));
+
+ $csrf_element = new Zend_Form_Element_Hidden('csrf');
+ $csrf_element->setValue($csrf_namespace->authtoken)->setRequired('true')->removeDecorator('HtmlTag')->removeDecorator('Label');
+ $csrf_form = new Zend_Form();
+ $csrf_form->addElement($csrf_element);
+ $this->view->form = $csrf_form;
 }
 
 public function uploadAction()
 {
- $upload_dir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";
- $tempFilePath = Application_Model_StoredFile::uploadFile($upload_dir);
- $tempFileName = basename($tempFilePath);
+ $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+ $observed_csrf_token = $this->_getParam('csrf_token');
+ $expected_csrf_token = $current_namespace->authtoken;
 
- $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "tempfilepath" => $tempFileName));
+ if($observed_csrf_token == $expected_csrf_token){
+ $upload_dir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";
+ $tempFilePath = Application_Model_StoredFile::uploadFile($upload_dir);
+ $tempFileName = basename($tempFilePath);
+
+ $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "tempfilepath" => $tempFileName));
+ }else{
+ $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "valid" => false, "error" => "CSRF token did not match."));
+ }
 }
 
 public function copyfileAction()
diff --git a/airtime_mvc/application/views/scripts/plupload/index.phtml b/airtime_mvc/application/views/scripts/plupload/index.phtml
index cf236b8d6..47187c63e 100644
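Review bot: The comparison at `if($observed_csrf_token == $expected_csrf_token){` passes when both sides are null: once the namespace set in indexAction has expired (900 s) or was never populated, `$current_namespace->authtoken` is null, and a request that simply omits `csrf_token` compares `null == null` as true, so the upload runs without any token check. Guard the expected value and compare strictly, e.g. `if (!empty($expected_csrf_token) && $observed_csrf_token === $expected_csrf_token) {` — or `hash_equals()` where the deployed PHP version provides it, for a constant-time comparison of the two strings. Separately, `sha1(uniqid(rand(),1))` derives the token from a non-cryptographic generator; `openssl_random_pseudo_bytes()` (or another CSPRNG-backed source) is the appropriate seed for an anti-CSRF token. The enclosing indexAction begins before this hunk.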
--- a/airtime_mvc/application/views/scripts/plupload/index.phtml
+++ b/airtime_mvc/application/views/scripts/plupload/index.phtml
@@ -4,6 +4,7 @@ }
+ form->getElement('csrf') ?>
diff --git a/airtime_mvc/public/js/airtime/library/plupload.js b/airtime_mvc/public/js/airtime/library/plupload.js
index 2d76b3383..2e7f0b56f 100644
--- a/airtime_mvc/public/js/airtime/library/plupload.js
+++ b/airtime_mvc/public/js/airtime/library/plupload.js
@@ -11,7 +11,10 @@ $(document).ready(function() {
 multiple_queues : 'true',
 filters : [
 {title: "Audio Files", extensions: "ogg,mp3,oga,flac,wav,m4a,mp4,opus"}
- ]
+ ],
+ multipart_params : {
+ "csrf_token" : $("#csrf").attr('value'),
+ }
 });
 
 uploader = $("#plupload_files").pluploadQueue();
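Review bot: `"csrf_token" : $("#csrf").attr('value')` captures the token once at initialisation, while the server side of this commit expires the session token after 900 seconds, so a library page left open longer than that will have every upload answered with `{"jsonrpc": "2.0", "valid": false, "error": "CSRF token did not match."}`; as far as the hunk shows no non-200 status accompanies that body, so the `FileUploaded` handler (outside this hunk) will presumably treat it as success unless it inspects `valid`. Consider refreshing the token in a `BeforeUpload` handler via `uploader.settings.multipart_params.csrf_token = $("#csrf").val();` and checking `response.valid === false` in the result handler so the `error` string reaches the user instead of a silent failure. As a point of style, `.val()` is the usual jQuery accessor for a form field's value, and the trailing comma after the `"csrf_token"` entry can be a syntax error in some older browsers still in use at the time of this commit.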